Blog: How will personal data continue to flow after Brexit?

Elizabeth Denham's latest blog busts the myths for UK small and medium sized businesses transferring personal data to and from the EEA

Like everyone in the UK right now, we are following the twists and turns of the Brexit negotiations. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains to function and public authorities to deliver effective public services.

At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer term solution can be put in place.

However in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.

With less than two months to go until the UK leaves the EU, we recognise that businesses and organisations are concerned. My latest myth busting blog challenges some of the misconceptions about what a ‘no deal’ Brexit will mean for UK companies transferring personal data to and from the EEA.

Myth #1: Brexit will stop me from transferring personal information from the UK to the EU altogether.

Fact

In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But transfers of personal data from the EEA to the UK will be affected.

The key question around the flow of personal data, is whether your data is going from the UK to the EEA or exchanged both ways? If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.

Myth #3: Brexit will only affect data transfers of UK companies actually exporting goods or services to the EU.

Fact

Personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’.

Myth #4: My business will be fine because there will be a European Commission adequacy decision on exit day on 29 March 2019 to ensure the uninterrupted exchanges of personal data between the UK and the EU.

Fact

‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.

Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.

Myth #5: Our parent company in Europe keeps all our personal data records centrally so I don’t need to worry about sorting any new agreements.

Fact

Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. You will need to assess whether you need to take action.

You know your organisation best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.

It is in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit. The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance.